From: Nathan Vidican <nathan@vidican.com>
To: Matthew Seaman
Cc: freebsd-questions@freebsd.org
Date: Wed, 22 Dec 2010 10:17:02 -0500
Subject: Re: Port based VLAN
In-Reply-To: <4D120895.2060002@infracaninophile.co.uk>

On Wed, Dec 22, 2010 at 9:17 AM, Matthew Seaman <m.seaman@infracaninophile.co.uk> wrote:

> On 22/12/2010 11:15, Indexer wrote:
> > Hi,
> >
> > I plan to make a FreeBSD based router sometime soon. I would like to be
> > able to do port based vlanning on the router, so that a client computer that
> > plugs into that socket is "dumb" to the VLANs' existence.
> >
> > IE
> >
> > em0 - untagged
> > em1 - vlan 1
> > em2 - vlan 2
> >
> > Is what I want to achieve (as a simple example). This way I can use
> > unmanaged switches on em2, and all clients behind that are to the router on
> > vlan2.
> >
> > How does one go about this on FreeBSD?
>
> In /etc/rc.conf:
>
> ifconfig_em1="up -vlanhwtag"   # You may or may not want hwtag -- try both
> vlans_em1="vlan1"
> ifconfig_em2="up -vlanhwtag"
> vlans_em2="vlan2"
>
> create_args_vlan1="vlan 1"
> ipv4_addrs_vlan1="192.168.12.34/24"
>
> create_args_vlan2="vlan 2"
> ipv4_addrs_vlan2="192.168.56.78/24"
>
> The em0 i/f should be configured as usual. This will create virtual
> interfaces vlan1 and vlan2 which you can apply firewall rules to etc.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
> JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW

I do this exact thing, where a single server port attaches to the switch as a
trunk and carries multiple VLANs which are in turn firewalled and routed amongst
one another. My rc.conf (the pertinent parts anyway) looks like this:

gateway_enable="YES"
cloned_interfaces="vlan1 vlan190 vlan100 vlan200 vlan300 vlan400"
ifconfig_em0="up"
ifconfig_vlan1="up"
ifconfig_vlan190="inet X.X.190.1/28 vlan 190 vlandev em0"
ifconfig_vlan100="inet 10.0.1.1/26 vlan 100 vlandev em0"
ifconfig_vlan200="inet 10.0.2.254/24 vlan 200 vlandev em0"
ifconfig_vlan300="inet 10.0.3.254/24 vlan 300 vlandev em0"
ifconfig_vlan400="inet 10.0.4.1/28 vlan 4 vlandev em0"
firewall_enable="YES"

Within my rc.firewall, the interfaces are vlan1, vlan190, vlan100, etc. The
system sees each as if it were physically a different network card and I'm able
to route/filter traffic as such.

Note: I did have to add vlan support in my kernel for this. I'm using an Intel
1000MT 1000BaseSX (fiber) card to a Cisco Catalyst 2948 which in turn connects on
the other side as a trunked port.

--
Nathan Vidican
nathan@vidican.com
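The thread shows two equivalent rc.conf spellings for the same thing: the vlans_emN / create_args_vlanN form in the quoted reply, and the cloned_interfaces / "vlan N vlandev emX" form in Nathan's config. The script below is an added example, not code from either poster. It generates the second form from a short spec and validates the spec first, which goes a step beyond the thread: the VLAN interface name is derived from the tag, so the name and the 802.1Q tag it carries cannot disagree (a mismatch is easy to miss in a hand-written rc.conf, and because each vlanN interface gets its own firewall rules, a mis-tagged interface silently puts its hosts behind the wrong ruleset). The input format ("parent vid cidr", one per line) and the sample spec are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build the rc.conf fragment
# for a FreeBSD router that terminates several 802.1Q VLANs on one trunk port
# (the "vlan N vlandev emX" form) and sanity-check the spec before it is
# pasted into /etc/rc.conf.
# Input format is an assumption for this example: one "parent vid cidr"
# triple per line, e.g. "em0 100 10.0.1.1/26".

# vlan_check PARENT VID CIDR -> 0 if the triple is sane, 1 otherwise.
vlan_check() {
    parent=$1; vid=$2; cidr=$3
    # 802.1Q reserves VID 0 and 4095; anything else must be an integer 1..4094
    case $vid in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || return 1
    # parent must look like a FreeBSD interface name: driver letters + unit number
    case $parent in
        [a-z]*[0-9]) ;;
        *) return 1 ;;
    esac
    # ifconfig_vlanN expects "inet a.b.c.d/len"
    case $cidr in
        *.*.*.*/[0-9]*) ;;
        *) return 1 ;;
    esac
    return 0
}

# vlan_rcconf: read triples from stdin, print the rc.conf lines to stdout.
# The interface is always named vlan<vid>, so the name and the tag it carries
# cannot drift apart. Returns 1 (printing nothing) on the first bad spec.
vlan_rcconf() {
    parents=""; cloned=""; lines=""
    while read -r parent vid cidr; do
        [ -z "$parent" ] && continue            # skip blank lines
        if ! vlan_check "$parent" "$vid" "$cidr"; then
            echo "vlan_rcconf: bad spec: '$parent $vid $cidr'" >&2
            return 1
        fi
        # remember each trunk parent once
        case " $parents " in
            *" $parent "*) ;;
            *) parents="$parents $parent" ;;
        esac
        cloned="$cloned vlan$vid"
        lines="$lines
ifconfig_vlan$vid=\"inet $cidr vlan $vid vlandev $parent\""
    done
    printf 'cloned_interfaces="%s"\n' "${cloned# }"
    for p in $parents; do
        # the trunk side carries no address of its own; it only needs to be up
        printf 'ifconfig_%s="up"\n' "$p"
    done
    printf '%s\n' "${lines#?}"                  # drop the leading newline
}

# Stand-alone run on a constructed sample spec: two VLANs on the em0 trunk.
printf 'em0 100 10.0.1.1/26\nem0 200 10.0.2.254/24\n' | vlan_rcconf
```

After appending the generated lines to /etc/rc.conf (plus gateway_enable and firewall_enable as in the thread), `service netif restart` creates the interfaces and `ifconfig -a` should list one vlanN per spec with the expected "vlan: N vlandev: emX" line; the per-VLAN firewall rules then key on those interface names.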